Abstract

Oblivious transfer is a fundamental primitive in cryptography. While perfect information theoretic security is impossible, quantum oblivious transfer protocols can limit the dishonest players' cheating. Finding the optimal security parameters in such protocols is an important open question. In this paper we show that every 1-out-of-2 oblivious transfer protocol allows a dishonest party to cheat with probability bounded below by a constant strictly larger than 1/2. Alice's cheating is defined as her probability of guessing Bob's index, and Bob's cheating is defined as his probability of guessing both input bits of Alice. In our proof, we relate these cheating probabilities to the cheating probabilities of a coin flipping protocol and conclude by using Kitaev's coin flipping lower bound. Then, we present an oblivious transfer protocol with two messages and cheating probabilities at most 3/4. Last, we extend Kitaev's semidefinite programming formulation to more general primitives, where the security is against a dishonest player trying to force the outcome of the other player, and prove optimal lower and upper bounds for them.



1 Introduction 






Quantum information enables us to do cryptography with information theoretic security. The first breakthrough result in quantum cryptography is the unconditionally secure key distribution protocol of Bennett and Brassard [BB84]. Since then, a long series of works has studied which other cryptographic primitives are possible in the quantum world. However, the subsequent results were negative. Mayers and Lo, Chau proved the impossibility of secure ideal quantum bit commitment and oblivious transfer and consequently of any type of two-party secure computation [May97, LC97, DKSW07]. On the other hand, several imperfect variants of these primitives have been shown to be possible. Finding the optimal parameters for such fundamental primitives has since been an important open question. The reason for looking at these abstract primitives is that they are the basis for all cryptographic protocols one may wish to construct, including identification schemes, digital signatures, electronic voting, etc. Let us emphasize that in this paper we only look at information theoretic security and we do not discuss computational security or security in restricted models like the bounded-storage or noisy-storage model.

We start with coin flipping, which was first proposed by Blum [Blu81] and has since found numerous applications in two-party secure computation. Even though the results of Mayers and of Lo and Chau exclude the possibility of perfect quantum coin flipping, i.e., where the resulting coin is perfectly unbiased, it still remained open whether one can construct a quantum protocol where no player could bias the coin with probability 1. Aharonov et al. [ATVY00] provided such a protocol where no dishonest player could bias the coin with probability higher than 0.9143. Then, Ambainis [Amb01] described an improved protocol whose cheating probability was at most 3/4. Subsequently, a number of different protocols were proposed [SR01, NS03, KN04] that achieved the same bound of 3/4.

On the other hand, Kitaev [Kit03], using a formulation of quantum coin flipping as semidefinite programs, proved a lower bound of 1/2 on the product of the cheating probabilities for Alice and Bob (see [ABDR04]). In other words, no quantum coin flipping protocol can achieve a cheating probability less than $1/\sqrt{2}$ for both Alice and Bob.

The question of whether 3/4 or $1/\sqrt{2}$ was the right answer has recently been resolved by Chailloux and Kerenidis [CK09] who described a protocol with cheating probability arbitrarily close to $1/\sqrt{2}$. In their protocol they use as a subroutine a weaker variant of coin flipping which is referred to as weak coin flipping.

Weak coin flipping protocols with cheating probabilities less than 3/4 were first constructed in [SR02, Amb02, KN04]. The best bound was in fact $1/\sqrt{2}$ until the breakthrough result by Mochon who described a protocol with cheating probability 2/3 [Moc05] and then a protocol that achieves a cheating probability of $1/2 + \varepsilon$ for any $\varepsilon > 0$ [Moc07]. Hence the optimal biases for weak and strong coin flipping are now known.

The question is still unresolved for quantum bit commitment. On one hand, a bit commitment protocol implies a coin flipping protocol with the same parameters. In fact, most of the known strong coin flipping protocols are of this form: Alice first quantumly commits to a bit $a$. Then, Bob announces a bit $b$. Last, Alice reveals bit $a$ and the result of the coin flip is $c = a \oplus b$. Hence, Kitaev's lower bound states that no quantum bit commitment protocol can achieve cheating probabilities lower than $1/\sqrt{2}$. On the other hand, the best protocols we know achieve a value of 3/4. In fact, the only strong coin flipping protocol that achieves a value better than 3/4 is the optimal protocol of Chailloux-Kerenidis, which is not based on a quantum bit commitment scheme, but on Mochon's weak coin flipping protocol. Hence, the question of the optimal bias for quantum bit commitment remains open.



In this paper, we focus on oblivious transfer, which is a universal primitive for any two-party secure computation [Rab81, EGL82, Cre87]. We define a 1-out-of-2 random oblivious transfer protocol with bias $\varepsilon$, denoted here as random-OT, to be a protocol where:

• Alice outputs two uniformly random bits $(x_0, x_1)$

• Bob outputs $x_b$ for a uniformly random choice of $b$

• $A_{OT} := \sup\{\Pr[\text{Alice guesses } b \text{ and Bob does not abort}]\} = \frac{1}{2} + \varepsilon_A$

• $B_{OT} := \sup\{\Pr[\text{Bob guesses } (x_0, x_1) \text{ and Alice does not abort}]\} = \frac{1}{2} + \varepsilon_B$

• The bias of the protocol is defined as $\varepsilon := \max\{\varepsilon_A, \varepsilon_B\}$

where the suprema are taken over all strategies for Alice and Bob respectively. Note that in our definition, the bias is not defined just as an upper bound on the cheating probabilities but corresponds to the optimal cheating probability.

We note here that an honest Bob can learn both bits with probability 1/2, since he can learn one bit perfectly and can make a random guess for the other bit.

There is also another variant, denoted as OT, where Alice and Bob have specific values of $(x_0, x_1)$ and $b$ as inputs. We show that the two notions are equivalent with respect to $\varepsilon$.

The first impossibility result for quantum OT with information theoretic security was shown by Lo [Lo97]. The main idea is that if Alice has no information about Bob's index $b$ then Bob can learn both bits in the following way: first, Bob honestly runs the protocol with $b = 0$ to learn $x_0$ with probability 1; then he locally applies a unitary to his part of the joint final state in order to transform the joint state to the joint final state in the case of $b = 1$ and hence learn $x_1$. Since Bob can learn each bit with probability 1, his measurement does not change the state and hence he can perform both of them sequentially.

However, not much was known about the best possible bias that one can get for OT. At a high level, OT is the "strongest" primitive, since it implies bit commitment, coin flipping, and in fact any two-party functionality. However, when one looks at the optimal constant values for the bias, then one needs to be more careful. For example, the standard way of constructing a bit commitment protocol from OT is the following: Alice and Bob perform OT with inputs $x_0, x_1$, where $x_0 \oplus x_1$ is the committed bit. Since Bob can learn only one of the two inputs, he has no information about the committed bit. On the other hand, in the reveal phase, Alice reveals both bits, and since she has no information about which one Bob has learnt, if she wants to change her mind without getting caught, she can only do it with probability 1/2 (hence her cheating probability is 3/4). Classically, one can then repeat this protocol many times in order to take this probability close to 1/2. As we can see, a perfect OT protocol does not automatically give a perfect bit commitment protocol, as there is a loss in the parameters. Hence, Kitaev's lower bound does not a priori hold for OT, since we do not know how to easily convert an OT protocol to a coin flipping protocol without any loss.



Let us also note that in the quantum setting, one can use a large number of bit commitment protocols in order to construct an OT protocol, something which is not known to be possible classically ([Yao95], [BF10]).

In related work, Salvail, Schaffner and Sotakova [SSS09] have quantitatively studied a different notion of security for OT protocols (and generally any two-party protocols) that they call information leakage. Information leakage is defined as the maximum amount of extra information about the other party's output given the quantum state held by one party. They prove, among other results, that any 1-out-of-2 OT protocol has a constant leakage. Their model is somewhat different, for example they do not allow the players to abort during the protocol, and their security notion is described in terms of mutual information and entropy and does not immediately translate to our security notion of guessing probabilities. However, their results provide more evidence that almost-perfect OT protocols are impossible for different variants of security.

In another work, Jain, Radhakrishnan and Sen [JRS02] showed that in a 1-out-of-n OT protocol, if Alice gets $t$ bits of information about Bob's index $b$, then Bob gets at least $\Omega(n/2^{O(t)})$ bits of information about Alice's string $x$.

In this paper, we quantitatively study the bias of quantum oblivious transfer protocols. More precisely, we construct a coin flipping protocol that uses OT as a subroutine and show a relation between the cheating probabilities of the OT protocol and the ones of the coin flipping protocol. Then, using Kitaev's lower bound for coin flipping we derive a non-trivial lower bound (albeit weaker) on the cheating probabilities for OT. More precisely we prove the following theorem.

Theorem 1 In any quantum oblivious transfer protocol, we have

$$A_{OT} \cdot f(B_{OT}) \ge 1/2$$

where $f$ is a function that we define later. This implies for the bias $\varepsilon$ of the protocol that

$$\varepsilon \ge \frac{1}{2}\left(\sqrt{\frac{1}{2} + 2\sqrt{2}} - \sqrt{\frac{1}{2}}\right) - \frac{1}{2} \approx 0.0586.$$

Moreover, in Section 3 we describe a simple 1-out-of-2 random-OT protocol and analyze the cheating probabilities of Alice and Bob.

Theorem 2 There exists a quantum oblivious transfer protocol such that $A_{OT} = B_{OT} = \frac{3}{4}$.

One may wonder if it would be possible to extend Kitaev's semidefinite programming formulation to include the OT primitive and get a stronger lower bound this way. In fact, in Section 5 we describe a generalisation of Kitaev's semidefinite program that captures a variant of the general k-out-of-n OT primitive. Coin flipping is then the special case of 1-out-of-1 OT. However, there is a big difference. What the semidefinite program formulation captures is the probability that one player can force the outcome of the other one.

More precisely, we define a k-out-of-n forcing oblivious transfer protocol, denoted here as $\binom{n}{k}$-fOT, with forcing bias $\varepsilon$ as a protocol satisfying:

• Alice outputs $n$ random bits $x := (x_1, \ldots, x_n)$

• Bob outputs a random index set $b$ of $k$ indices and bit string $x_b$ consisting of $x_i$ for $i \in b$

• Ab /Xb := sup{Pr[Alice can force Bob to output (b, X&)]} = 



) -2 k 



&B 

B x := sup{Pr[Bob can force Alice to output x]} = — — 



• The forcing bias of the protocol is defined as $\varepsilon := \max\{\varepsilon_A, \varepsilon_B\}$

where, again, the suprema are over all strategies of Alice and Bob respectively. First, notice our definition of the bias $\varepsilon$ as a multiplicative factor instead of additive. We choose this since the honest probabilities of the two players can be very different and in this case our definition makes more sense.

More importantly, this 'forcing' security definition is exactly what is needed in coin flipping, since there, Alice and Bob know each other's outputs and the only cheating is forcing the other player's output in order to get a specific value for the coin. However, this is very different from the probability that one player can guess the outcome of the other player, which is the security guarantee we wish for in an OT protocol.

Nevertheless, it is still interesting to know how one can extend Kitaev's semidefinite programming formulation, what are the most general primitives that can be described in this framework, and what are their applications. For these k-out-of-n "forcing" primitives we provide optimal upper and lower bounds.

Theorem 3 In any (?) -fOT protocol and consistent b, x, x^ we have 

1 



B x ' Af, x > Pr[Alice honestly outputs x and Bob honestly outputs (b,Xb)] 



i—k 

In particular, the forcing bias satisfies e > V2 . 



(2)* 



Note that for the special case of coin flipping, or else ( 1 )-fOT, our bounds are tight (a 
tiplicative bias of \pl is equivalent to a cheating probability of —/=)■ 
Similar to coin flipping, one can get optimal protocols as well for (?)-fOT. 



Theorem 4 Let 7 > 0. There exists a protocol for (^)-fOT with cheating probabilities: 
/or consistent b,x,Xf,. 

2 Preliminaries 

2.1 Definitions of Primitives 

We assume the reader is familiar with the basic notions of quantum computing. All used notions can be found in [NC00].

In the literature, many different variants of oblivious transfer have been considered. In this paper, we consider two variants of quantum oblivious transfer and for completeness we show that they are equivalent with respect to the bias $\varepsilon$.

Definition 1 (Random Oblivious Transfer) A 1-out-of-2 quantum random oblivious transfer protocol with bias $\varepsilon$, denoted here as random-OT, is a protocol between Alice and Bob such that:

• Alice outputs two bits $(x_0, x_1)$ or Abort and Bob outputs two bits $(b, y)$ or Abort

• If Alice and Bob are honest, they never Abort, $y = x_b$, Alice has no information about $b$ and Bob has no information about $x_{\bar{b}}$. Also, $x_0, x_1, b$ are uniformly random bits.

• $A_{OT} := \sup\{\Pr[\text{Alice guesses } b \text{ and Bob does not Abort}]\} = \frac{1}{2} + \varepsilon_A$

• $B_{OT} := \sup\{\Pr[\text{Bob guesses } (x_0, x_1) \text{ and Alice does not Abort}]\} = \frac{1}{2} + \varepsilon_B$

• The bias of the protocol is defined as $\varepsilon := \max\{\varepsilon_A, \varepsilon_B\}$

where the suprema are taken over all cheating strategies for Alice and Bob.

Note that this definition is slightly different from usual definitions because we want the 
exact value of the cheating probabilities and not only an upper bound. This is because 
we consider both lower bounds and upper bounds for OT protocols but we could have 
equivalent results using the standard definitions. 

An important issue is that we quantify the security against a cheating Bob as the probability that he can guess $(x_0, x_1)$. One can imagine a security definition where Bob's guessing probability is not for $(x_0, x_1)$, but for example for $x_0 \oplus x_1$ or any other function $f(x_0, x_1)$. Since we are mostly interested in lower bounds, we believe our definition is the most appropriate one, since a lower bound on the probability of guessing $(x_0, x_1)$ automatically yields a lower bound on the probability of guessing any $f(x_0, x_1)$.

We now define a second notion of OT where the values $(x_0, x_1)$ and $b$ are Alice's and Bob's inputs respectively and show the equivalence between the two notions.

Definition 2 (Oblivious Transfer) A 1-out-of-2 quantum oblivious transfer protocol with bias $\varepsilon$, denoted here as OT, is a protocol between Alice and Bob such that:

• Alice has input $x_0, x_1 \in \{0, 1\}$ and Bob has input $b \in \{0, 1\}$. At the beginning of the protocol, Alice has no information about $b$ and Bob has no information about $(x_0, x_1)$

• At the end of the protocol, Bob outputs $y$ or Abort and Alice can either Abort or not

• If Alice and Bob are honest, they never Abort, $y = x_b$, Alice has no information about $b$ and Bob has no information about $x_{\bar{b}}$

• $A_{OT} := \sup\{\Pr[\text{Alice guesses } b \text{ and Bob does not Abort}]\} = \frac{1}{2} + \varepsilon_A$

• $B_{OT} := \sup\{\Pr[\text{Bob guesses } (x_0, x_1) \text{ and Alice does not Abort}]\} = \frac{1}{2} + \varepsilon_B$

• The bias of the protocol is defined as $\varepsilon := \max\{\varepsilon_A, \varepsilon_B\}$

where the suprema are taken over all cheating strategies for Alice and Bob.

We also define quantum (strong) coin flipping.

Definition 3 A quantum coin flipping protocol with bias $\varepsilon$, denoted here as CF, is a protocol between Alice and Bob who agree on an output $a \in \{0, 1, \text{Abort}\}$ such that:

• If Alice and Bob are honest then $\Pr[a = 0] = \Pr[a = 1] = \frac{1}{2}$

• $A_{CF} := \sup\{\max\{\Pr[a = 0], \Pr[a = 1]\}\} = \frac{1}{2} + \varepsilon_A$

• $B_{CF} := \sup\{\max\{\Pr[a = 0], \Pr[a = 1]\}\} = \frac{1}{2} + \varepsilon_B$

• The bias of the protocol is defined as $\varepsilon := \max\{\varepsilon_A, \varepsilon_B\}$

where the suprema are taken over all strategies for Alice and Bob.

2.2 Equivalence between the different notions of Oblivious Transfer 

We show the equivalence between OT and random-OT with respect to the bias $\varepsilon$.

Proposition 1 Let $P$ be an OT protocol with bias $\varepsilon$. We can construct a random-OT protocol $Q$ with bias $\varepsilon$ using $P$.

Proof The construction of the OT protocol $Q$ is pretty straightforward:

1. Alice picks $x_0, x_1 \in_R \{0, 1\}$ uniformly at random and Bob picks $b \in_R \{0, 1\}$ uniformly at random.

2. Alice and Bob perform the OT protocol $P$ where Alice inputs $x_0, x_1$ and Bob inputs $b$. Let $y$ be Bob's output. Note that at this point, Alice has no information about $b$ and Bob has no information about $(x_0, x_1)$.

3. Alice and Bob abort in $Q$ if and only if they abort in $P$. Otherwise, the outputs of protocol $Q$ are $(x_0, x_1)$ for Alice and $(b, y)$ for Bob.

The outcomes of $Q$ are uniformly random bits since Alice and Bob choose their inputs uniformly at random. All the other requirements that make $Q$ an OT protocol with bias $\varepsilon$ are satisfied because $P$ is an OT protocol with bias $\varepsilon$.

We now show how to go from a random-OT to an OT protocol.

Proposition 2 Let $P$ be a random-OT protocol with bias $\varepsilon_P$. We can construct an OT protocol $Q$ with bias $\varepsilon_Q = \varepsilon_P$ using $P$.

Proof Let $P$ be a random-OT protocol with bias $\varepsilon_P$. Consider the following protocol $Q$:

1. Alice has inputs $X_0, X_1$ and Bob has an input $B$.

2. Alice and Bob run protocol $P$ and output $(x_0, x_1)$ for Alice and $(b, y)$ for Bob.

3. Bob sends $r = b \oplus B$ to Alice. Let $x'_c = x_{c \oplus r}$, for $c \in \{0, 1\}$.

4. Alice sends to Bob $(s_0, s_1)$ where $s_c = x'_c \oplus X_c$ for $c \in \{0, 1\}$. Let $y' = y \oplus s_B$.

5. Alice and Bob abort in $Q$ if and only if they abort in $P$. Otherwise, the output of the protocol is $y'$ for Bob.

We now show that our protocol is an OT protocol with inputs with bias $\varepsilon$. First, note that the values $x'_c$ are known by Alice and the value $y'$ is known by Bob. Also, notice that

$$x'_B = x_{B \oplus r} = x_b.$$

• Alice and Bob are honest:

By definition we have $y = x_b$. Then, we have $y' = y \oplus s_B = x_b \oplus s_B = x'_B \oplus s_B = X_B$. Moreover, Alice knows $r$ but has no information about $b$ and hence she has no information about $B = b \oplus r$. Bob knows $(s_0, s_1)$ and $r$ but has no information about $x_{\bar{b}}$, hence he has no information about $X_{\bar{B}} = x'_{\bar{B}} \oplus s_{\bar{B}} = x'_{\bar{b} \oplus r} \oplus s_{\bar{b} \oplus r} = x_{\bar{b}} \oplus s_{\bar{b} \oplus r}$.

• Cheating Alice:

Alice picks $r$ and $B = b \oplus r$. Hence

$$A_{OT}(Q) = \sup\{\Pr[\text{Alice guesses } B \text{ and Bob does not Abort}]\} = \sup\{\Pr[\text{Alice guesses } b \text{ and Bob does not Abort}]\} = A_{OT}(P).$$

• Cheating Bob: Bob picks a random $r$, sends $r$ to Alice and then Alice picks $(s_0, s_1)$. We have $X_c = x'_c \oplus s_c = x_{c \oplus r} \oplus s_c$ so it is equivalent for Bob to guess $(X_0, X_1)$ and $(x_0, x_1)$. Hence

$$B_{OT}(Q) = \sup\{\Pr[\text{Bob guesses } (X_0, X_1) \text{ and Alice does not Abort}]\} = \sup\{\Pr[\text{Bob guesses } (x_0, x_1) \text{ and Alice does not Abort}]\} = B_{OT}(P).$$

We can now conclude for the biases

$$\varepsilon_Q = \max\{A_{OT}(Q), B_{OT}(Q)\} - \frac{1}{2} = \max\{A_{OT}(P), B_{OT}(P)\} - \frac{1}{2} = \varepsilon_P.$$
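
The honest case of the reduction in Proposition 2 can be checked exhaustively. The following is an added example, not code from the paper: it models the random-OT subroutine P as an ideal classical box (an assumption) and enumerates every input and every random output to confirm that Bob obtains $X_B$, that Alice's view has the same distribution for both values of $B$, and that Bob's view has the same distribution for both values of the bit he did not choose. All function names are hypothetical.

```python
from collections import Counter
from itertools import product

BITS = (0, 1)


def run_q(X0, X1, B, x0, x1, b):
    """One honest run of protocol Q.

    (X0, X1) and B are the parties' inputs; (x0, x1) and b are the random
    outputs of the ideal random-OT box P (assumed model), with y = x_b.
    Returns (alice_view, bob_view, y_prime).
    """
    xs = (x0, x1)
    y = xs[b]                          # Bob's output from P
    r = b ^ B                          # step 3: Bob sends r to Alice
    x_prime = (xs[0 ^ r], xs[1 ^ r])   # x'_c = x_{c xor r}
    s = (x_prime[0] ^ X0, x_prime[1] ^ X1)  # step 4: Alice sends (s_0, s_1)
    y_prime = y ^ s[B]                 # y' = y xor s_B
    alice_view = (x0, x1, r)           # what Alice sees besides her inputs
    bob_view = (b, y, s[0], s[1])      # what Bob sees besides his input
    return alice_view, bob_view, y_prime


def correctness_holds():
    """Bob's output equals X_B for all inputs and all outputs of P."""
    return all(
        run_q(X0, X1, B, x0, x1, b)[2] == (X0, X1)[B]
        for X0, X1, B, x0, x1, b in product(BITS, repeat=6)
    )


def view_distribution(X0, X1, B, who):
    """Distribution of one party's view over the uniform outputs of P.
    who = 0 selects Alice's view, who = 1 selects Bob's view."""
    return Counter(
        run_q(X0, X1, B, x0, x1, b)[who]
        for x0, x1, b in product(BITS, repeat=3)
    )


def alice_view_independent_of_B():
    """Alice's view must not depend on Bob's choice B."""
    return all(
        view_distribution(X0, X1, 0, 0) == view_distribution(X0, X1, 1, 0)
        for X0, X1 in product(BITS, repeat=2)
    )


def bob_view_independent_of_other_input():
    """For fixed B and X_B, Bob's view must not depend on the other input bit."""
    for B, chosen_value in product(BITS, repeat=2):
        dists = []
        for other_value in BITS:
            X = [0, 0]
            X[B], X[1 - B] = chosen_value, other_value
            dists.append(view_distribution(X[0], X[1], B, 1))
        if dists[0] != dists[1]:
            return False
    return True


if __name__ == "__main__":
    print("correct:", correctness_holds())
    print("Alice learns nothing about B:", alice_view_independent_of_B())
    print("Bob learns nothing about the other bit:",
          bob_view_independent_of_other_input())
```
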

2.3 Technical Claims 

Claim 1 ([DW09] following [Nay99]) Suppose we have a classical random variable $X$, uniformly distributed over $[n] = \{1, \ldots, n\}$. Let $x \mapsto |\phi_x\rangle$ be some encoding of $[n]$, where $|\phi_x\rangle$ is a pure state in a $d$-dimensional space. Let $P_1, \ldots, P_n$ be the measurement operators applied for decoding; these sum to the $d$-dimensional identity operator. Then the probability of correctly decoding in case $X = x$ is

$$p_x = \|P_x|\phi_x\rangle\|^2 \le \mathrm{Tr}(P_x).$$

The expected success probability is

$$\frac{1}{n}\sum_{x=1}^{n} p_x \le \frac{1}{n}\sum_{x=1}^{n} \mathrm{Tr}(P_x) = \frac{1}{n}\mathrm{Tr}\left(\sum_{x=1}^{n} P_x\right) = \frac{1}{n}\mathrm{Tr}(I) = \frac{d}{n}.$$

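Claim 2 Let $|X\rangle$ be a pure state, $Q$ a projection, and $|Y\rangle$ a pure state such that $Q|Y\rangle = |Y\rangle$. Then we have

$$\|Q|X\rangle\|_2^2 \ge |\langle X|Y\rangle|^2.$$

Proof Using Cauchy-Schwarz we have

$$|\langle X|Y\rangle|^2 = |\langle X|Q|Y\rangle|^2 \le \|Q|X\rangle\|_2^2 \, \||Y\rangle\|_2^2 = \|Q|X\rangle\|_2^2.$$
□

Claim 3 Suppose $\theta, \theta' \in [0, \pi/4]$. If $|\langle\psi|\phi\rangle| \ge \cos(\theta)$ and $|\langle\phi|\xi\rangle| \ge \cos(\theta')$ then

$$|\langle\psi|\xi\rangle| \ge \cos(\theta + \theta').$$

Proof Define the angle between two pure states $|\psi\rangle$ and $|\phi\rangle$ as $A(\psi, \phi) := \arccos|\langle\psi|\phi\rangle|$. This is a metric (see [NC00] page 413). Thus we have

$$\arccos|\langle\psi|\xi\rangle| = A(\psi, \xi) \le A(\psi, \phi) + A(\phi, \xi) = \arccos|\langle\psi|\phi\rangle| + \arccos|\langle\phi|\xi\rangle| \le \theta + \theta'.$$

Taking the cosine of both sides yields the result. □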
Claim 4 Let $\theta, p \in [0, \pi/4]$. Then

$$\cos(\theta + p) \ge \cos^2(\theta) + \cos^2(p) - 1.$$

Proof Wlog suppose that $\theta \ge p$. Consider the function

$$f(\theta) = \cos(\theta + p) - \cos^2(\theta) + \sin^2(p)$$

for fixed $p$. Taking its derivative we get

$$f'(\theta) = -\sin(\theta + p) + \sin(2\theta)$$

which is nonnegative for $\theta \in [p, \pi/4]$. Since $f(p) = 0$, we conclude that $f(\theta) \ge 0$ for $\theta \in [p, \pi/4]$ which gives the desired result. □

3 A Lower Bound on Any Oblivious Transfer Protocol 

In this section we prove that the bias of any random-OT protocol, and hence any OT 
protocol, is bounded below by a constant. We start from a random-OT protocol and first 
show how to construct a coin flipping protocol. Then, we prove a relation between the 
cheating probabilities of the coin flipping protocol and those in the random-OT protocol. 
Last, we use Kitaev's lower bound for coin flipping to derive a lower bound for any OT 
protocol. 



3.1 From Oblivious Transfer to Coin Flipping

Coin Flipping Protocol via random-OT

1. Alice and Bob perform the OT protocol to create $(x_0, x_1)$ and $(b, x_b)$ respectively. If the OT protocol is aborted then so is the coin flipping protocol.

2. Alice sends $c \in_R \{0, 1\}$ to Bob.

3. Bob sends $b$ and $y = x_b$ to Alice.

4. If $x_b$ from Bob is consistent with Alice's bits then the output of the protocol is $c \oplus b$. Otherwise Alice aborts.

By definition, $A_{OT}$ and $B_{OT}$ denote the optimal cheating probabilities for Alice and Bob in the random-OT protocol and $A_{CF}$ and $B_{CF}$ denote the optimal cheating probabilities for Alice and Bob in the coin flipping protocol. Kitaev's lower bound says that $A_{CF} B_{CF} \ge 1/2$. We use this inequality to derive an inequality involving $A_{OT}$ and $B_{OT}$.
Theorem 1 In any quantum oblivious transfer protocol, we have

$$A_{OT} \cdot f(B_{OT}) \ge 1/2$$

for the function $f$ defined as¹

$$f(z) = \frac{1}{6}\left(3\sqrt{3}\sqrt{27z^2 - 2z} + 27z - 1\right)^{1/3} + \frac{1}{6}\left(3\sqrt{3}\sqrt{27z^2 - 2z} + 27z - 1\right)^{-1/3} + \frac{1}{3}.$$

This implies that the bias $\varepsilon$ of the protocol satisfies

$$\varepsilon \ge \frac{1}{2}\left(\sqrt{\frac{1}{2} + 2\sqrt{2}} - \sqrt{\frac{1}{2}}\right) - \frac{1}{2} \approx 0.0586.$$

In what follows we prove the above theorem. 

Let $\neg\bot_A^{CF}$ (resp. $\neg\bot_B^{CF}$) denote the event "Alice (resp. Bob) does not abort during the entire coin flipping protocol". Let $\neg\bot_A^{OT}$ (resp. $\neg\bot_B^{OT}$) denote the event "Alice (resp. Bob) does not abort during the random-OT subroutine".

Cheating Alice By definition, $A_{OT}$ is the optimal probability of Alice guessing $b$ in the random-OT protocol without Bob aborting. Suppose Alice desires to force 0 in the coin flipping protocol (a similar argument can be made if she wants 1). Bob must not abort and Alice must send $c = b$ in her last message. Notice also that in our coin flipping protocol, Bob can abort only in the OT subroutine and hence $\neg\bot_B^{OT} = \neg\bot_B^{CF}$. Thus,

$$A_{CF} = \sup\{\Pr[(\text{Alice sends } c = b) \wedge \neg\bot_B^{CF}]\} = \sup\{\Pr[(\text{Alice guesses } b) \wedge \neg\bot_B^{OT}]\} = A_{OT}$$

where the suprema are taken over all possible strategies for Alice.

Cheating Bob By definition, $B_{OT}$ is the optimal probability of Bob learning both bits in the random-OT protocol without Alice aborting. Thus,

$$B_{OT} = \sup\{\Pr[(\text{Bob guesses } (x_0, x_1)) \wedge \neg\bot_A^{OT}]\} = \sup\{\Pr[\neg\bot_A^{OT}] \cdot \Pr[(\text{Bob guesses } (x_0, x_1)) \mid \neg\bot_A^{OT}]\}$$

where the suprema are taken over all strategies for Bob.

If Bob wants to force 0 in the coin flipping protocol (a similar argument works if he wants to force 1), then first, Alice must not abort in the random-OT protocol and second, Bob must send $b = c$ as well as the correct $x_c$ such that Alice does not abort in the last round of the coin flipping protocol. This is equivalent to saying that Bob succeeds if he guesses $x_c$ and Alice does not abort in the random-OT protocol. Since $c$ is chosen by Alice uniformly at random, we can write the probability of Bob cheating as

$$B_{CF} = \max\left\{\frac{1}{2}\Pr[(\text{Bob guesses } x_0) \wedge \neg\bot_A^{OT}] + \frac{1}{2}\Pr[(\text{Bob guesses } x_1) \wedge \neg\bot_A^{OT}]\right\} = \max\left\{\Pr[\neg\bot_A^{OT}] \cdot \left(\frac{1}{2}\Pr[(\text{Bob guesses } x_0) \mid \neg\bot_A^{OT}] + \frac{1}{2}\Pr[(\text{Bob guesses } x_1) \mid \neg\bot_A^{OT}]\right)\right\}.$$

¹ $f$ is the inverse function of $g(x) = x(2x - 1)^2$ on some domain, see the proof for more details.



Notice that we use "max" instead of "sup" above. This is because an optimal strategy 
exists for every coin flipping protocol. This is a consequence of strong duality in the 
semidefinite programming formalism of [Kit03], see [ABDR04] for details. 

Let us now fix Bob's optimal cheating strategy in the CF protocol. For this strategy, let $p = \Pr[(\text{Bob guesses } x_0) \mid \neg\bot_A^{OT}]$, $q = \Pr[(\text{Bob guesses } x_1) \mid \neg\bot_A^{OT}]$ and $a = \frac{p+q}{2}$. Note that wlog, we can assume that Bob's measurements are projective measurements. This can be done by increasing the dimension of Bob's space. Also, Alice has a projective measurement on her space to determine the bits $(x_0, x_1)$.

We use the following lemma to relate $B_{CF}$ and $B_{OT}$.

Lemma 1 (Learning-In-Sequence Lemma) Let $p, q \in [1/2, 1]$. Let Alice and Bob share a joint pure state. Suppose Alice performs on her space a projective measurement $M = \{M_{x_0,x_1}\}_{x_0,x_1 \in \{0,1\}}$ to determine the values of $(x_0, x_1)$. Suppose there is a projective measurement $P = \{P_0, P_1\}$ on Bob's space that allows him to guess bit $x_0$ with probability $p$ and a projective measurement $Q = \{Q_0, Q_1\}$ on his space that allows him to guess bit $x_1$ with probability $q$. Then, there exists a measurement on Bob's space that allows him to guess $(x_0, x_1)$ with probability at least $a(2a - 1)^2$ where $a = \frac{p+q}{2}$.

We postpone the proof of this lemma to Subsection 3.2.

We now construct a cheating strategy for Bob for the OT protocol: Run the optimal cheating CF strategy and look at Bob's state after step 1 conditioned on $\neg\bot_A^{OT}$. Note that this event happens with nonzero probability in the optimal coin flipping strategy since otherwise the success probability is 0. The optimal CF strategy gives measurements that allow Bob to guess $x_0$ with probability $p$ and $x_1$ with probability $q$. Bob uses these measurements and the procedure of Lemma 1 to guess $(x_0, x_1)$. Let $b$ be the probability he guesses $(x_0, x_1)$. From Lemma 1 we have that $b \ge a(2a - 1)^2$. By definition of $B_{OT}$ and $B_{CF}$, we have:

$$b = \Pr[(\text{Bob guesses } (x_0, x_1)) \mid \neg\bot_A^{OT}] \le \frac{B_{OT}}{\Pr[\neg\bot_A^{OT}]} \quad \text{and} \quad a = \frac{B_{CF}}{\Pr[\neg\bot_A^{OT}]}.$$

This gives us

$$\frac{B_{OT}}{\Pr[\neg\bot_A^{OT}]} \ge \frac{B_{CF}}{\Pr[\neg\bot_A^{OT}]}\left(2\frac{B_{CF}}{\Pr[\neg\bot_A^{OT}]} - 1\right)^2 \implies B_{OT} \ge B_{CF}(2B_{CF} - 1)^2,$$

where the implication holds since $B_{CF} \ge 1/2$.

We now calculate an upper bound on $B_{CF}$ as a function of $B_{OT}$. Let $g(x) = x(2x - 1)^2$. It can be easily checked that $g$ is bijective from [0.5, 1] to [0, 1] and increasing. Let $f$ be the inverse function of $g$ from [0, 1] to [0,0.5]. Since $g$ is increasing, $f$ is also increasing. Hence, since $B_{OT} \ge g(B_{CF})$ and $B_{CF} \in [0.5, 1]$, we conclude that

$$B_{CF} \le f(B_{OT}).$$

We can write $f$ analytically using computer software to get the following function

$$f(z) = \frac{1}{6}\left(3\sqrt{3}\sqrt{27z^2 - 2z} + 27z - 1\right)^{1/3} + \frac{1}{6}\left(3\sqrt{3}\sqrt{27z^2 - 2z} + 27z - 1\right)^{-1/3} + \frac{1}{3}.$$

Kitaev's lower bound states that $A_{CF} B_{CF} \ge 1/2$. From this, we have

$$A_{OT} f(B_{OT}) \ge A_{CF} B_{CF} \ge 1/2.$$

We now proceed to give the lower bound for the bias. Since $f$ is increasing, we have

$$(\varepsilon + 1/2) \cdot f(\varepsilon + 1/2) \ge A_{OT} f(B_{OT}) \ge A_{CF} B_{CF} \ge 1/2.$$

Solving the inequality we show that $\varepsilon$ must satisfy

$$\varepsilon \ge \frac{1}{2}\left(\sqrt{\frac{1}{2} + 2\sqrt{2}} - \sqrt{\frac{1}{2}}\right) - \frac{1}{2} \approx 0.0586.$$



□ 
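
The last step of the proof can be reproduced numerically. The following is an added example, not code from the paper: it inverts $g(x) = x(2x-1)^2$ on [0.5, 1] by bisection, compares the result with the closed form for $f$ stated in Theorem 1, and solves $(\varepsilon + 1/2) f(\varepsilon + 1/2) = 1/2$ for the smallest admissible bias. Function names are hypothetical; the closed forms are taken as reconstructed from the text above.

```python
import math


def g(x):
    """g(x) = x (2x - 1)^2, increasing on [0.5, 1] with g(0.5) = 0, g(1) = 1."""
    return x * (2 * x - 1) ** 2


def bisect_increasing(fn, lo, hi, target, iters=200):
    """Solve fn(t) = target for an increasing fn on [lo, hi] by bisection."""
    for _ in range(iters):
        mid = (lo + hi) / 2
        if fn(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def f_numeric(z):
    """Inverse of g restricted to [0.5, 1], computed without the closed form."""
    return bisect_increasing(g, 0.5, 1.0, z)


def f_closed(z):
    """Closed form of the inverse (Cardano). The inner square root is real
    only for z >= 2/27; the proof uses it for z = B_OT >= 1/2."""
    s = 3 * math.sqrt(3) * math.sqrt(27 * z * z - 2 * z) + 27 * z - 1
    c = s ** (1.0 / 3.0)
    return c / 6 + 1 / (6 * c) + 1 / 3


def max_closed_form_error(samples=501):
    """Largest gap between closed form and bisection on z in [0.5, 1]."""
    zs = [0.5 + 0.5 * i / (samples - 1) for i in range(samples)]
    return max(abs(f_closed(z) - f_numeric(z)) for z in zs)


def bias_lower_bound(f=f_numeric):
    """Smallest eps with (eps + 1/2) * f(eps + 1/2) >= 1/2.

    The left-hand side is increasing in eps, below 1/2 at eps = 0 and
    equal to 1 at eps = 1/2, so bisection on [0, 1/2] finds the threshold."""
    return bisect_increasing(lambda e: (e + 0.5) * f(e + 0.5), 0.0, 0.5, 0.5)


def bias_closed_form():
    """The constant stated in Theorem 1."""
    return 0.5 * (math.sqrt(0.5 + 2 * math.sqrt(2)) - math.sqrt(0.5)) - 0.5


if __name__ == "__main__":
    print("max |f_closed - f_numeric| =", max_closed_form_error())
    print("bias bound (numeric)     =", bias_lower_bound())
    print("bias bound (closed form) =", bias_closed_form())
```
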



3.2 Proof of the Learning-In-Sequence Lemma 

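The Learning-in-Sequence Lemma follows from the following simple geometric result.

Lemma 2 Let $|\psi\rangle$ be a pure state and let $\{C, I - C\}$ and $\{D, I - D\}$ be two projective measurements such that

$$\cos^2(\theta) := \|C|\psi\rangle\|_2^2 \ge \frac{1}{2} \quad \text{and} \quad \cos^2(\theta') := \|D|\psi\rangle\|_2^2 \ge \frac{1}{2}.$$

Then we have

$$\|DC|\psi\rangle\|_2^2 \ge \cos^2(\theta)\cos^2(\theta + \theta').$$

Proof Define the following states

$$|X\rangle := \frac{C|\psi\rangle}{\|C|\psi\rangle\|_2}, \quad |X'\rangle := \frac{(I - C)|\psi\rangle}{\|(I - C)|\psi\rangle\|_2}, \quad |Y\rangle := \frac{D|\psi\rangle}{\|D|\psi\rangle\|_2}, \quad |Y'\rangle := \frac{(I - D)|\psi\rangle}{\|(I - D)|\psi\rangle\|_2}.$$

Then we can write $|\psi\rangle = \cos(\theta)|X\rangle + e^{i\alpha}\sin(\theta)|X'\rangle$ and $|\psi\rangle = \cos(\theta')|Y\rangle + e^{i\beta}\sin(\theta')|Y'\rangle$ with $\alpha, \beta \in \mathbb{R}$. Then we have

$$\|DC|\psi\rangle\|_2^2 = \cos^2(\theta)\,\|D|X\rangle\|_2^2$$
$$\ge \cos^2(\theta)\,|\langle Y|X\rangle|^2 \quad \text{using Claim 2}$$
$$\ge \cos^2(\theta)\cos^2(\theta + \theta') \quad \text{using Claim 3.}$$

□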
We now prove Lemma 1.

Proof Let $|\Omega\rangle_{AB}$ be the joint pure state shared by Alice and Bob, where $A$ is the space controlled by Alice and $B$ the space controlled by Bob.

Let $M = \{M_{x_0,x_1}\}_{x_0,x_1 \in \{0,1\}}$ be Alice's projective measurement on $A$ to determine her outputs $x_0, x_1$. Let $P = \{P_0, P_1\}$ be Bob's projective measurement that allows him to guess $x_0$ with probability $p = \cos^2(\theta)$ and $Q = \{Q_0, Q_1\}$ be Bob's projective measurement that allows him to guess $x_1$ with probability $q = \cos^2(\theta')$. These measurements are on $B$ only. Recall that $a = \frac{p+q}{2} = \frac{\cos^2(\theta) + \cos^2(\theta')}{2}$. We consider the following projections on $AB$:

$$C = \sum_{x_0,x_1} M_{x_0,x_1} \otimes P_{x_0} \quad \text{and} \quad D = \sum_{x_0,x_1} M_{x_0,x_1} \otimes Q_{x_1}.$$

$C$ (resp. $D$) is the projection on the subspace where Bob guesses correctly the first bit (resp. the second bit) after applying $P$ (resp. $Q$).

A strategy for Bob to learn both bits is simple: apply the two measurements $P$ and $Q$ one after the other, where the first one is chosen uniformly at random.

The projection on the subspace where Bob guesses $(x_0, x_1)$ when applying $P$ then $Q$ is

$$E = \sum_{x_0,x_1} M_{x_0,x_1} \otimes Q_{x_1}P_{x_0} = DC.$$

Similarly, the projection on the subspace where Bob guesses $(x_0, x_1)$ when applying $Q$ then $P$ is

$$F = \sum_{x_0,x_1} M_{x_0,x_1} \otimes P_{x_0}Q_{x_1} = CD.$$

With this strategy Bob can guess both bits with probability

$$\frac{1}{2}\left(\|E|\Omega\rangle\|_2^2 + \|F|\Omega\rangle\|_2^2\right)$$
$$= \frac{1}{2}\left(\|DC|\Omega\rangle\|_2^2 + \|CD|\Omega\rangle\|_2^2\right)$$
$$\ge \frac{1}{2}\left(\cos^2(\theta) + \cos^2(\theta')\right)\cos^2(\theta + \theta') \quad \text{using Lemma 2}$$
$$\ge \frac{1}{2}\left(\cos^2(\theta) + \cos^2(\theta')\right)\left(\cos^2(\theta) + \cos^2(\theta') - 1\right)^2 \quad \text{using Claim 4}$$
$$= a(2a - 1)^2.$$

Note that we can use Lemma 2 since Bob's optimal measurement to guess $x_0$ and $x_1$ succeeds for each bit with probability at least 1/2. □

4 A Two-Message Protocol With Bias 1/4 

We present in this section a random-OT protocol with bias 1/4. This also implies, as we have shown, an OT protocol with inputs with the same bias.

Random Oblivious Transfer Protocol

1. Bob chooses $b \in_R \{0, 1\}$ and creates the state $|\phi_b\rangle := \frac{1}{\sqrt{2}}|bb\rangle + \frac{1}{\sqrt{2}}|22\rangle$.

2. Alice chooses $x_0, x_1 \in_R \{0, 1\}$ and applies the unitary $|a\rangle \to (-1)^{x_a}|a\rangle$, where $x_2 := 0$.

3. Alice returns the qutrit to Bob who now has the state $|\psi_b\rangle := \frac{(-1)^{x_b}}{\sqrt{2}}|bb\rangle + \frac{1}{\sqrt{2}}|22\rangle$.

4. Bob performs on the state $|\psi_b\rangle$ the measurement $\{\Pi_0 := |\phi_b\rangle\langle\phi_b|, \Pi_1 := |\phi'_b\rangle\langle\phi'_b|, I - \Pi_0 - \Pi_1\}$, where $|\phi'_b\rangle := \frac{1}{\sqrt{2}}|bb\rangle - \frac{1}{\sqrt{2}}|22\rangle$.

If the outcome is $\Pi_0$ then $x_b = 0$, if it is $\Pi_1$ then $x_b = 1$, otherwise he aborts.

It is clear that Bob can learn $x_0$ or $x_1$ perfectly. Moreover, note that if he sends half of the state $\frac{1}{\sqrt{2}}|00\rangle + \frac{1}{\sqrt{2}}|11\rangle$ then he can also learn $x_0 \oplus x_1$ perfectly (although in this case he does not learn either of $x_0$ or $x_1$). We now show that it is impossible for him to perfectly learn both $x_0$ and $x_1$ and also that his bit is not completely revealed to a cheating Alice.

Theorem 2 In the protocol described above, we have $A_{OT} = B_{OT} = \frac{3}{4}$.
Proof We analyze the cheating probabilities of each party. 

Cheating Alice 

Define Bob's space as $\mathcal{B}$ and let $\sigma_b := \mathrm{Tr}_{\mathcal{B}}(|\phi_b\rangle\langle\phi_b|)$ denote the two reduced states
Alice may receive in the first message. Then, the optimal strategy for Alice to learn $b$ is
to perform the optimal measurement to distinguish between $\sigma_0$ and $\sigma_1$. In this case, she
succeeds with probability

$$\frac{1}{2} + \frac{1}{4}\|\sigma_0 - \sigma_1\|_{tr} = \frac{3}{4},$$

(see for example [KN04]). Alice's optimal measurement is, in fact, a measurement in the
computational basis. If she gets outcome $|0\rangle$ or $|1\rangle$ then she knows $b$ with certainty. If she
gets outcome $|2\rangle$ then she guesses. Notice also, that even after this measurement she can
return the measured qutrit to Bob and the outcome of Bob's measurement will always be
either $\Pi_0$ or $\Pi_1$. Hence, Bob will never abort.

Cheating Bob 

Bob wants to learn both bits $(x_0, x_1)$. We now describe a general strategy for Bob:

• Bob creates $|\psi\rangle = \sum_i \alpha_i |i\rangle_{\mathcal{A}} |e_i\rangle_{\mathcal{B}}$ and sends the $\mathcal{A}$ part to Alice. The $|e_i\rangle$'s are not
necessarily orthogonal but $\sum_i |\alpha_i|^2 = 1$.

• Alice applies $U_{x_0,x_1}$ on her part and sends it back to Bob. He now has the state
$|\psi_{x_0,x_1}\rangle = \sum_i \alpha_i (-1)^{x_i} |i\rangle |e_i\rangle$ recalling that $x_2 := 0$.

At the end of the protocol, Bob applies a two-outcome measurement on $|\psi_{x_0,x_1}\rangle$ to get his
guess for $(x_0, x_1)$.

From this strategy, we create another strategy with the same cheating probability where 
Bob sends a pure state. We define this strategy as follows: 

• Bob creates $|\psi'\rangle = \sum_i \alpha_i |i\rangle_{\mathcal{A}}$ and sends the whole state to Alice.

• Alice applies $U_{x_0,x_1}$ on her part and sends it back to Bob. He now has the state
$|\psi'_{x_0,x_1}\rangle = \sum_i \alpha_i (-1)^{x_i} |i\rangle$ recalling that $x_2 := 0$.

• Bob applies the unitary $U : |i\rangle|0\rangle \to |i\rangle|e_i\rangle$ to $|\psi'_{x_0,x_1}\rangle|0\rangle$ and obtains $|\psi_{x_0,x_1}\rangle$.

To determine $(x_0, x_1)$, Bob applies the same measurement as in the original strategy.

Clearly both strategies have the same success probability. When Bob uses the second 
strategy, Alice and Bob are unentangled after the first message and Alice sends back a 
qutrit to Bob. Using Claim [Q we have 

$$\Pr[\text{Bob correctly guesses } (x_0, x_1)] \leq 3/4.$$

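Note that there is a strategy for Bob to achieve 3/4. Bob wants to learn both bits
$(x_0, x_1)$. Suppose he creates the state

$$|\psi\rangle := \frac{1}{\sqrt{3}}|0\rangle + \frac{1}{\sqrt{3}}|1\rangle + \frac{1}{\sqrt{3}}|2\rangle$$

and sends it to Alice. The state he receives is

$$|\psi_{x_0,x_1}\rangle := \frac{1}{\sqrt{3}}(-1)^{x_0}|0\rangle + \frac{1}{\sqrt{3}}(-1)^{x_1}|1\rangle + \frac{1}{\sqrt{3}}|2\rangle.$$

Then, Bob performs a projective measurement in the 4-dimensional basis $\{|\Psi_{x_0,x_1}\rangle : x_0, x_1 \in \{0,1\}\}$ where

$$|\Psi_{x_0,x_1}\rangle := \frac{1}{2}(-1)^{x_0}|0\rangle + \frac{1}{2}(-1)^{x_1}|1\rangle + \frac{1}{2}|2\rangle + \frac{1}{2}(-1)^{x_0 \oplus x_1}|3\rangle.$$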
The probability that Bob guesses the two bits $x_0, x_1$ correctly is

$$\sum_{x_0,x_1} \frac{1}{4}\Pr[\text{Bob guesses } (x_0, x_1)] = \sum_{x_0,x_1} \frac{1}{4}\left|\langle \Psi_{x_0,x_1} | \psi_{x_0,x_1} \rangle\right|^2.$$

Note that in our protocol Alice never aborts. 
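The protocol and both cheating analyses of this section can be checked numerically. The following is an added example, not code from the paper; it takes the amplitudes as $1/\sqrt{2}$ for $|\phi_b\rangle$, $1/\sqrt{3}$ for Bob's cheating state and $1/2$ for his measurement basis, and the function names and the vector indexing are choices made for this sketch.

```python
from itertools import product
from math import isclose, sqrt

S2, S3 = 1 / sqrt(2), 1 / sqrt(3)   # amplitudes of |phi_b> and of Bob's cheating state

def phi(b, sign=1):
    """|phi_b> (sign=+1) or |phi'_b> (sign=-1); basis |i j> is stored at index 3*i + j."""
    v = [0.0] * 9
    v[4 * b], v[8] = S2, sign * S2   # |bb> and |22>
    return v

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def alice_phase(state, x0, x1):
    """Alice's unitary |a> -> (-1)^{x_a}|a> on the qutrit she holds (index j), x_2 := 0."""
    x = (x0, x1, 0)
    return [amp * (-1) ** x[idx % 3] for idx, amp in enumerate(state)]

def honest_bob_outcomes(b, x0, x1):
    """Probabilities of (Pi_0, Pi_1, abort) when both parties are honest."""
    psi = alice_phase(phi(b), x0, x1)
    p0, p1 = dot(phi(b), psi) ** 2, dot(phi(b, -1), psi) ** 2
    return p0, p1, 1 - p0 - p1

def reduced_state(b):
    """sigma_b = Tr_B |phi_b><phi_b|: trace out the qutrit Bob keeps (index i)."""
    v = phi(b)
    return [[sum(v[3 * i + j] * v[3 * i + k] for i in range(3))
             for k in range(3)] for j in range(3)]

def alice_cheating_probability():
    """1/2 + 1/4 * ||sigma_0 - sigma_1||_tr, computed for a diagonal difference."""
    s0, s1 = reduced_state(0), reduced_state(1)
    d = [[s0[j][k] - s1[j][k] for k in range(3)] for j in range(3)]
    if any(abs(d[j][k]) > 1e-12 for j in range(3) for k in range(3) if j != k):
        raise ValueError("difference is not diagonal; an eigen-decomposition is needed")
    return 0.5 + 0.25 * sum(abs(d[j][j]) for j in range(3))

def bob_cheating_probability():
    """Average of |<Psi_{x0,x1}|psi_{x0,x1}>|^2 over uniformly random (x0, x1)."""
    total = 0.0
    for x0, x1 in product((0, 1), repeat=2):
        s0, s1 = (-1) ** x0, (-1) ** x1
        psi = [S3 * s0, S3 * s1, S3, 0.0]                           # state returned by Alice
        basis = [0.5 * s0, 0.5 * s1, 0.5, 0.5 * (-1) ** (x0 ^ x1)]  # |Psi_{x0,x1}>
        total += 0.25 * dot(basis, psi) ** 2
    return total
```

Both cheating functions evaluate to 3/4, and for every honest choice of $(b, x_0, x_1)$ Bob's measurement returns $x_b$ with certainty and never aborts.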



5 Oblivious Transfer as a Forcing Primitive 

Here, we discuss a variant of oblivious transfer, as a generalisation of coin flipping, that
can be analyzed using an extension of Kitaev's semidefinite programming formalism.

Definition 4 (Forcing Oblivious Transfer) A k-out-of-n forcing oblivious transfer protocol,
denoted here as $\binom{n}{k}$-fOT, with forcing bias $\epsilon$ is a protocol satisfying:

• Alice outputs $n$ random bits $x := (x_1, \ldots, x_n)$

• Bob outputs a random index set $b$ of $k$ indices and bit string $x_b$ consisting of $x_i$ for
$i \in b$

• $A_{b,x_b} := \sup\{\Pr[\text{Alice can force Bob to output } (b, x_b)]\}$

• $B_x := \sup\{\Pr[\text{Bob can force Alice to output } x]\}$ = —

• The forcing bias of the protocol is defined as $\epsilon = \max\{\epsilon_A, \epsilon_B\}$

where the suprema are taken over all strategies of Alice and Bob. 

The main difference in this new primitive is the definition of security. Here, we design 
protocols to protect against a dishonest party being able to force a desired value as the 
output of the other player. In the previous section (and in the literature) oblivious transfer 
protocols are designed to protect against the dishonest party learning the other party's 
output. Notice, for example, that in coin flipping we can design protocols to protect against 
a dishonest party forcing a desired outcome, but both players learn the coin outcome 
perfectly. 

The primitive we have defined is indeed a generalization of coin flipping since we can
cast the problem of coin flipping as a 1-out-of-1 forcing oblivious transfer protocol. Of
course, in $\binom{1}{1}$-fOT Alice always knows Bob's index set so the forcing bias is the only
interesting notion of security in this case.

As we said, we define the bias $\epsilon$ as a multiplicative factor instead of additive, since the
honest probabilities can be much different and in this case our definition makes more sense.
To relate this bias to the one previously studied in coin flipping we have that coin flipping
protocols with bias $\epsilon \leq \sqrt{2} + \delta$ exist for any $\delta > 0$, see [CK09], and weak coin flipping
protocols with bias $\epsilon \leq 1 + \delta$ exist for any $\delta > 0$, see [Moc07].

5.1 Extending Kitaev's Lower Bound to Forcing Oblivious Transfer

We now extend Kitaev's formalism from the setting of coin flipping to the more general
setting of $\binom{n}{k}$-fOT.

Suppose Alice and Bob have private spaces $\mathcal{A}$ and $\mathcal{B}$, respectively, and both have access
to a message space $\mathcal{M}$ each initialized in state $|0\rangle$. Then, we can define an $m$-round $\binom{n}{k}$-fOT
protocol using the following parameters:

• Alice's unitary operators $U_{A,1}, \ldots, U_{A,m}$ which act on $\mathcal{A} \otimes \mathcal{M}$

• Bob's unitary operators $U_{B,1}, \ldots, U_{B,m}$ which act on $\mathcal{M} \otimes \mathcal{B}$

• Alice's POVM $\{\Pi_{A,\mathrm{abort}}\} \cup \{\Pi_{A,x} : x \in \mathbb{Z}_2^n\}$ acting on $\mathcal{A}$, one for each outcome

• Bob's POVM $\{\Pi_{B,\mathrm{abort}}\} \cup \{\Pi_{B,(b,x_b)} : b \text{ a } k\text{-element subset of } n \text{ indices},\ x_b \in \mathbb{Z}_2^k\}$ acting
on $\mathcal{B}$, one for each outcome

We now show the criteria for which the parameters above yield a proper $\binom{n}{k}$-fOT protocol.
In a proper protocol we require that Alice and Bob's measurements are consistent and that
the outcomes are uniformly random when the protocol is followed honestly. Define

$$|\psi\rangle := (I_{\mathcal{A}} \otimes U_{B,m})(U_{A,m} \otimes I_{\mathcal{B}}) \cdots (I_{\mathcal{A}} \otimes U_{B,1})(U_{A,1} \otimes I_{\mathcal{B}})|0\rangle_{\mathcal{A} \otimes \mathcal{M} \otimes \mathcal{B}}$$

to be the state at the end of an honest run of the protocol. Then, we require the unitary
and measurement operators to satisfy the following condition:

$$\left\|(\Pi_{A,x} \otimes I_{\mathcal{M}} \otimes \Pi_{B,(b,x_b)})|\psi\rangle\right\|_2^2 = \frac{1}{\binom{n}{k} 2^n} \quad \text{for } (x, b, x_b) \text{ consistent.}$$

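Similar to coin flipping, we can capture cheating strategies as semidefinite programs.
Bob can force Alice to output a specific $x \in \mathbb{Z}_2^n$ with maximum probability equal to the
optimal value of the following semidefinite program

$$\begin{aligned}
B_x = \max \quad & \langle \Pi_{A,x} \otimes I_{\mathcal{M}},\ \rho_{A,N} \rangle \\
\text{subject to} \quad & \mathrm{Tr}_{\mathcal{M}}(\rho_{A,0}) = |0\rangle\langle 0|_{\mathcal{A}} \\
& \mathrm{Tr}_{\mathcal{M}}(\rho_{A,j}) = \mathrm{Tr}_{\mathcal{M}}(U_{A,j}\,\rho_{A,j-1}\,U_{A,j}^{*}), && \text{for } j \in \{1, \ldots, N\} \\
& \rho_{A,j} \in \mathrm{Pos}(\mathcal{A} \otimes \mathcal{M}), && \text{for } j \in \{0, \ldots, N\}
\end{aligned}$$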

where $\mathrm{Pos}(\mathcal{H})$ is the set of positive semidefinite matrices over the Hilbert space $\mathcal{H}$. The
states $\rho_i$ represent the part of the state under Alice's control after Bob sends his $i$'th
message. The constraints above are necessary since Bob cannot apply a unitary on $\mathcal{A}$.
They are also sufficient since Bob can maintain a purification during the protocol consistent 
with the states above to achieve a cheating probability given by the corresponding objective 
value. 
To capture Alice's cheating strategies we can do the same as for the cheating Bob and
examine the states under Bob's control during the course of the protocol. That is, Alice can
force Bob to output a specific $k$-element subset $b$ and $x_b \in \mathbb{Z}_2^k$ with maximum probability
equal to the optimal value of the following semidefinite program

$$\begin{aligned}
A_{b,x_b} = \max \quad & \langle I_{\mathcal{M}} \otimes \Pi_{B,(b,x_b)},\ \rho_{B,N} \rangle \\
\text{subject to} \quad & \mathrm{Tr}_{\mathcal{M}}(\rho_{B,0}) = |0\rangle\langle 0|_{\mathcal{B}} \\
& \mathrm{Tr}_{\mathcal{M}}(\rho_{B,j}) = \mathrm{Tr}_{\mathcal{M}}(U_{B,j}\,\rho_{B,j-1}\,U_{B,j}^{*}), && \text{for } j \in \{1, \ldots, N\} \\
& \rho_{B,j} \in \mathrm{Pos}(\mathcal{M} \otimes \mathcal{B}), && \text{for } j \in \{0, \ldots, N\}
\end{aligned}$$

The proofs that these capture the optimal cheating probabilities are the same as those 
used for coin flipping in [Kit03] and [ABDR04]. Using these semidefinite programs we can
prove the following Theorem. 

Theorem 3 In any $\binom{n}{k}$-fOT protocol and consistent $b, x, x_b$, we have

$$B_x \cdot A_{b,x_b} \geq \Pr[\text{Alice honestly outputs } x \text{ and Bob honestly outputs } (b, x_b)] = \frac{1}{\binom{n}{k} 2^n}.$$

In particular, the forcing bias satisfies $\epsilon \geq \sqrt{2}^{k}$.

Once we extended the semidefinite programming formulation, the proof of the theorem
follows almost directly from the proof in [Kit03] and [ABDR04] for coin flipping except
that the honest outcome probabilities are different in our case. Namely, for $|\psi\rangle$ defined
above, we have

$$\left\|(\Pi_{A,x} \otimes I_{\mathcal{M}} \otimes \Pi_{B,(b,x_b)})|\psi\rangle\right\|_2^2 = \frac{1}{\binom{n}{k} 2^n}$$

when $x$, $b$, and $x_b$ are consistent and $0$ otherwise.

5.2 A Protocol with Optimal Forcing Bias 

In this section we prove Theorem [5]. First, consider the following protocol which achieves
the bound in Theorem [3] but is asymmetric. Alice sends $n$ random bits to Bob. Bob, then,
outputs $b$, a random $k$-index subset of $n$ indices, and $x_b$. In this protocol Bob can force a
desired outcome with probability $\frac{1}{2^n}$ and Alice can force a desired outcome with probability
$\frac{1}{\binom{n}{k}}$. Thus the product of the cheating probabilities is optimal, that is it achieves the lower
bound in Theorem [3]. However the protocol is asymmetric. This can be easily remedied
using coin flipping. We present an optimal protocol with this security definition.

An Optimal $\binom{n}{k}$-fOT Protocol with Forcing Bias $\sqrt{2}$

1. Bob outputs a random index set $b$ of $k$ indices and sends the result to Alice.

2. Alice and Bob play a coin flipping game with bias $\sqrt{2} + \delta$
(for a $\delta > 0$ sufficiently small) to determine each bit in $x_b$.

3. Alice randomly chooses her bits not in b. 



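Theorem 4 For any $\gamma > 0$ we can choose a $\delta > 0$ such that the $\binom{n}{k}$-fOT protocol above
satisfies for consistent $b, x, x_b$

$$A_{b,x_b} \leq \frac{\sqrt{2}^{k}(1+\gamma)}{\binom{n}{k} 2^k} \quad \text{and} \quad B_x \leq \frac{\sqrt{2}^{k}(1+\gamma)}{2^n}.$$

Proof Fix $\gamma > 0$ and a coin flipping parameter $\delta > 0$ small enough so that
$\left(\frac{1}{\sqrt{2}} + \frac{\delta}{2}\right)^k \leq \frac{\sqrt{2}^{k}(1+\gamma)}{2^k}$. This can be achieved by taking $\delta = O(\gamma/k)$. This sets an upper bound on the
probability of forcing a $k$ bit-string using $k$ coin flipping protocols each with a maximum
cheating probability of $\frac{1}{\sqrt{2}} + \frac{\delta}{2}$. We now analyze each party cheating. For Alice cheating,
she has no control over the index set but she can try to force a particular bit-string for $x_b$.
Her maximum cheating probability is

$$\frac{1}{\binom{n}{k}}\left(\frac{1}{\sqrt{2}} + \frac{\delta}{2}\right)^k \leq \frac{1}{\binom{n}{k}} \cdot \frac{\sqrt{2}^{k}(1+\gamma)}{2^k} = \frac{\sqrt{2}^{k}(1+\gamma)}{\binom{n}{k} 2^k}.$$

Bob has no control over Alice's $n - k$ remaining bits so Bob can cheat with maximum
probability

$$\frac{1}{2^{n-k}}\left(\frac{1}{\sqrt{2}} + \frac{\delta}{2}\right)^k \leq \frac{1}{2^{n-k}} \cdot \frac{\sqrt{2}^{k}(1+\gamma)}{2^k} = \frac{\sqrt{2}^{k}(1+\gamma)}{2^n}.$$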

For the special case of $\binom{2}{1}$-fOT we have the following corollary.

Corollary 1 (Optimal $\binom{2}{1}$-fOT)

There exists a $\binom{2}{1}$-fOT protocol where each party has honest outcome probabilities of 1/4
and neither party can cheat with probability higher than $\frac{\sqrt{2}}{4}(1 + \gamma)$, for any $\gamma > 0$.

Note that we have strong coin flipping protocols with poly(m) rounds that achieve 5 = 
voiv(m) • Hence, our protocol also achieves 7 = , ^s with poly(m) rounds. 

Last, we remark that this protocol is completely classical with the exception of the 
quantum coin flipping subroutines. This is similar to the optimal coin flipping protocol in 
[CK09] designed using classical messages and optimal quantum weak coin flipping subrou-
tines. 